What's New in Security Analytics 10.4: Be the Hunter... Not the Hunted
Attackers Are Outpacing Detection (chart: attacker capabilities vs. time to discovery; source: Verizon 2014 Data Breach Investigations Report)
Transform: Visibility, Analysis, Action (Intelligence-Driven Security)
Security Analytics 10.4 Delivers: complete visibility; rapid investigations; SIEM & Beyond analytics; prioritized incident management; a scalable and modular platform.
Complete Visibility & Rapid Investigations
Expanded Collection Options: 10G support; NetFlow v5 and v9 support, for less critical network segments and for internal network segments, to gain insight into lateral movement activity; support for 250+ log sources; support for CEF-formatted logs; centralized event source monitoring; improved Windows collection from multiple domains.
Enhanced Network Investigations: accelerated UI performance; improved session reconstruction; streamlined analyst workflow; enhanced search functionality (choose to search on meta, raw, or all data); over 30 usability enhancements to improve day-to-day investigations.
Intellisense for Advanced Query Search
Leveraging Meta Groups to Query
Enhanced Search Capabilities
Enhanced Content Search - Logs
Investigation ECAT Lookup
SIEM and Beyond Analytics
Event Stream Analytics (ESA): SA's real-time detection and correlation engine. Correlates logs, packets, NetFlow and endpoint meta; leverages RSA-provided detection rules via Live; user-configurable rule builder; scales to 100k EPS per appliance. (Diagram: packets, logs, NetFlow and endpoint meta feed ESA, which emits alerts.)
Centralized Rule Management
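The kind of cross-source correlation the slides above describe, as an added example that is not RSA's code and not ESA's rule language: a stateful, windowed rule that watches Windows logon events (log meta) for a burst of failures followed by a success from one source, and then fires when NetFlow or packet meta shows that same source opening an SMB (tcp/445) connection to an internal host. The event dicts, the `source`, `ts`, `action` and `user` fields, the thresholds, and the sample events are all constructed for this example; the `ip.src`, `ip.dst` and `tcp.dstport` names only resemble SA meta keys and are an assumption. Events are assumed to arrive in timestamp order.

```python
"""Windowed multi-source correlation rule (added example, not product code)."""
from collections import defaultdict, deque

FAIL_THRESHOLD = 5      # failed logons from one source ...
FAIL_WINDOW_S = 60      # ... within this many seconds, followed by a success ...
FOLLOW_WINDOW_S = 300   # ... and an SMB connection from that source within this many seconds


class BruteForceThenLateralRule:
    """Brute force -> success -> outbound SMB from the same source. Feed events in time order."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip.src -> timestamps of recent logon failures
        self.compromised = {}               # ip.src -> (success ts, user) after a brute-force success
        self.alerts = []

    def _recent_failures(self, src, now):
        q = self.failures[src]
        while q and now - q[0] > FAIL_WINDOW_S:  # drop failures outside the sliding window
            q.popleft()
        return q

    def feed(self, ev):
        """Process one event; return the alert it produced, or None."""
        src, ts = ev["ip.src"], ev["ts"]
        if ev["source"] == "log" and ev.get("action") == "logon_failure":
            self._recent_failures(src, ts).append(ts)
        elif ev["source"] == "log" and ev.get("action") == "logon_success":
            if len(self._recent_failures(src, ts)) >= FAIL_THRESHOLD:
                self.compromised[src] = (ts, ev.get("user"))   # stage 2 reached
                self.failures[src].clear()
        elif ev["source"] in ("netflow", "packet") and ev.get("tcp.dstport") == 445:
            if src in self.compromised:
                t0, user = self.compromised.pop(src)          # fire at most once per success
                if ts - t0 <= FOLLOW_WINDOW_S:
                    alert = {"rule": "bruteforce_then_smb_lateral", "ip.src": src,
                             "ip.dst": ev["ip.dst"], "user": user, "ts": ts}
                    self.alerts.append(alert)
                    return alert
        return None


# Constructed sample stream: 10.1.2.3 is brute-forced then moves to 10.1.2.99 over SMB;
# 10.1.2.50 has a single typo-style failure and is benign.
SAMPLE_EVENTS = (
    [{"source": "log", "ts": 5 * i, "ip.src": "10.1.2.3", "action": "logon_failure", "user": "svc_backup"}
     for i in range(6)]
    + [{"source": "log", "ts": 30, "ip.src": "10.1.2.3", "action": "logon_success", "user": "svc_backup"},
       {"source": "log", "ts": 31, "ip.src": "10.1.2.50", "action": "logon_failure", "user": "alice"},
       {"source": "log", "ts": 40, "ip.src": "10.1.2.50", "action": "logon_success", "user": "alice"},
       {"source": "netflow", "ts": 45, "ip.src": "10.1.2.50", "ip.dst": "10.1.2.99", "tcp.dstport": 445},
       {"source": "netflow", "ts": 120, "ip.src": "10.1.2.3", "ip.dst": "10.1.2.99", "tcp.dstport": 445}]
)


def run_sample():
    """Run the rule over SAMPLE_EVENTS and return the alerts it raised."""
    rule = BruteForceThenLateralRule()
    for ev in SAMPLE_EVENTS:
        rule.feed(ev)
    return rule.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The point of the three-stage state machine is that no single source sees the attack: the logs show a noisy logon pattern, the flow data shows an ordinary SMB session, and only their join within a bounded window is worth an analyst's time. Per-source state is pruned on every event so memory stays bounded at high event rates.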
Alert Enrichment Options: flexible enrichment options include 3rd-party database queries; static tables and CSV files; Geo/IP lookup; results from Advanced Analytics (requires the Analytics Warehouse).
Enhanced Notification Capabilities: leverage ESA-generated alerts with existing tools or as part of SA's incidents. Flexible notification options: e-mail; SNMP; syslog, including CEF format; user-defined script; user-configurable templates.
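CEF appears twice on this page: as a log format SA can collect (Expanded Collection Options) and as the syslog notification format ESA can emit (above). The following is an added example, not RSA's code, of both sides of that exchange: building a CEF message for an alert, framing it in syslog, and parsing it back. It follows the ArcSight CEF escaping rules (pipe and backslash in header fields; backslash, equals sign, CR and LF in extension values), which are the part integrators most often get wrong. The vendor, product, signature ID, alert fields, syslog host, PRI and timestamp are constructed for the example and say nothing about what SA's own CEF output contains.

```python
"""Build and parse ArcSight CEF messages (added example, not product code)."""
import re

_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")   # extension keys: at start or after a space


def _escape_header(value):
    # Header fields: backslash and pipe are the only characters that need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    # Extension values: escape backslash and '=', and encode CR/LF as the literal \r and \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape_ext(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_cef(vendor, product, version, sig_id, name, severity, ext):
    """Return 'CEF:0|vendor|product|version|sig_id|name|severity|k=v k=v ...'."""
    header = "|".join(_escape_header(v) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def syslog_frame(cef, host="sa-esa", pri=134, timestamp="Jun 10 12:00:00"):
    """Wrap a CEF message in an RFC 3164-style syslog line (PRI 134 = local0.info); values are assumed."""
    return f"<{pri}>{timestamp} {host} {cef}"


def parse_cef(line):
    """Parse a CEF message (optionally syslog-framed) into a dict; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    s = line[start:]
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:             # seven unescaped pipes end the header
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2              # \| and \\ inside a header field
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    ext_raw = s[i:]                                    # extension kept raw; it has its own escaping
    ext, hits = {}, list(_KEY_RE.finditer(ext_raw))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext_raw)
        ext[m.group(1)] = _unescape_ext(ext_raw[m.end():end])
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    rec = dict(zip(keys, fields))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["extension"] = ext
    return rec


# Constructed alert whose values contain every character CEF has to escape.
SAMPLE_ALERT = {
    "src": "10.1.2.3", "dst": "10.1.2.99", "dpt": 445,
    "msg": "cmd=net use \\\\FILESRV\\ADMIN$\nfrom 10.1.2.3",
}


def round_trip():
    """Build a syslog-framed CEF line for SAMPLE_ALERT and parse it back; return (line, record)."""
    cef = build_cef("RSA", "Security Analytics", "10.4", "ESA-1001",
                    "Lateral movement | SMB admin share", 7, SAMPLE_ALERT)
    line = syslog_frame(cef)
    return line, parse_cef(line)


if __name__ == "__main__":
    line, rec = round_trip()
    print(line)
    print(rec)
```

Two choices matter for a collector: the header is split on unescaped pipes only, so a rule name containing `|` survives, and the extension is scanned for `key=` tokens that follow a space rather than split on every `=`, so an escaped `\=` or a Windows path full of backslashes inside `msg` is returned intact.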
Malware Analytics Updates: introducing malware dashboards with user-configurable thresholds; ability to integrate Malware Analytics into the Incident Management feature; streamlined file submission capabilities (ad hoc and folder ingest); File Browser re-introduced with improved results and filter options.
Data Science Driven Advanced Analytics: identify outlier activity that could be indicative of under-the-radar threat activity; generate a risk rating based on the nature of the anomaly; includes reports that analysts can leverage to investigate. Introducing 3 BETA analytics models: Suspicious Domains, Suspicious DNS Activity, Host Profile. Requires either a MapR or Pivotal HD Analytics Warehouse, and packet meta for at least 7, ideally 30, days.
Enabling Better Detection with Content: monthly reports and analytics content to deliver more value to customers. Over 195 application rules, 75 correlation rules. Several high-profile, threat-specific updates: Heartbleed, IE9 zero-day, GameOver Zeus, Shell Crew, Boleto fraud ring; many more in the pipeline. Future focus on identity, cloud and expanded threat indicators. Quoted: "SA nailed it! RSA Security Analytics provided us the best view of attempts and issues on our network, better than any other product."
Prioritized Incident Management
Incident Management (diagram: alerts from Event Stream Analytics, ECAT, Malware Analysis and ad hoc Investigations feed Incident Management)
Incident Management Capabilities: streamlines analyst workflow, highlighting the value of SA; assign, update and track incidents, and journal, natively in the product; aggregates alerts from logs, packets, malware analysis and endpoint data into prioritized incidents; quickly take action directly from the investigation workflow. Incident Management is a feature of Event Stream Analytics.
Centralized Alert Browser
Configurable Incident Correlation Rules
Centralized Incident Queue
Incident Workflow
Create and Assign from Investigation
User-Configured Incident Notifications
Workflow Integration Options: integrates with RSA Security Operations Management (SecOps); SA forwards alerts and associated events; capability to disable the SA incident workflow to eliminate competing workflow queues; options to integrate with 3rd-party workflow tools.
Platform Enhancements
Platform Enhancements: centralized SA Health & Wellness; streamlined update infrastructure; centralized user management; support for SecurID two-factor authentication (2FA); Archiver backup and restore options; upgraded storage options.
Scalable & Modular Architecture
RSA Security Analytics Architecture (diagram): Visibility (packets, logs, NetFlow, endpoint) with capture-time data enrichment; Analysis; Action (Security Operations). RSA Live Intelligence (threat intelligence, rules, parsers, feeds and reports from RSA Research) is delivered via Live to each stage.
For More Details: Global Summit session podcasts, http://globalsummit.rsa.com/; Security Analytics Community, http://rsa.im/sacommunity; RSA Speaking of Security blog, http://blogs.rsa.com; release notes and user documentation, both published as part of the GA release later this month.
THANK YOU